BXA TAC meeting in Portland yesterday

As noted previously by John Young <http://www.jya.com/bxa082597.htm>, the
Department of Commerce's Bureau of Export Administration's Technical
Advisory Committee held a meeting yesterday in Portland, OR. C2Net paid for
me to fly up to Portland and attend the meeting. The following are notes re
what happened -

It was difficult to determine precisely who is on the Committee and who
isn't; the meeting room had a table with seats for (approx) 15 people; at
that table were seated approx. 10 people who were representing
hardware/software manufacturers, law firms, 2 people from BXA, two "special
guests" from European companies (whose names I didn't recognize), and two
"special guests" from Japanese companies - Susumi Hirai for Sony, and
Kobashi Toduchi for NEC. (apologies for the spelling re Japanese names,
those are my guesses at the correct spellings, but I bet they're wrong.)
There were seats in an "audience section" for another 30 people, all of
which were occupied. Among the companies represented (either in the
audience or on the committee) were Tektronix, Boeing, Dept of Energy,
Motorola, Intel, Rockwell, Novell, McDonnell-Douglas, Boeing, Cisco, Sun,
and C2Net. The attorney who spoke at a Cypherpunks meeting this spring
re export control was there, don't know if he was there on behalf of PGP
and/or other clients. (arrgh, didn't write his name down because I
remembered it, now I can't remember it.) There was an attorney representing
a consortium of manufacturers.

The meeting opened with a short summary/discussion of current events - this
part produced the most information relevant to crypto and export control
issues. Eileen at BXA (didn't get her last name), who seems to be in charge
of drafting regulations and granting/denying export licenses, said that
they've been slow recently re actions on crypto-related licenses because
they're understaffed, but they have recently hired 10 people to process
crypto-related applications, 8 of whom are in public-contact positions. She
said that they don't have a technical background, but are considered policy
analysts; that they've been receiving technical training from "other
agencies", but their technical training (and their ability to get straight
to work) has been hampered by the slowness of getting security clearances
for them. 2 of the 10 have already been cleared/approved. She said that
they've been learning about the "history of encryption". The public-contact
positions will each handle a section of the alphabet - so, for example, the
first person will handle export applications from individuals/companies
with names starting from A through F, and so on.

Eileen said that they have been circulating a new draft of encryption
regulations relating to/concerning financial institutions; a draft of it
was apparently circulated (I think) to a closed-session meeting of the
Committee previously. One of the committee members asked her for a ballpark
estimate of the date when those regs will be released for public comment,
and she deferred, saying that there were "so many agencies" that had to
look at them that it was too difficult to guess. Apparently, the most
difficult/controversial part of these regulations concerns the definition
of a financial institution (FI); she said that they've been granting
licenses to applicants who are clearly FI's, and that organizations who
think that they might qualify as an FI should write to BXA and request an
advisory letter or opinion letter about whether or not they qualify.

She also said that they've been drafting and circulating export regulations
designed to implement the Wassenaar Arrangement; they've been circulating
inter-agency. She said that they anticipate having the final draft finished
at the end of this week or the beginning of next week, at which point it'll
be sent to the Federal Register for publication; and that FR publication
will take 2 more weeks, so these ought to be available to the public
sometime in mid-October.

She also noted that BXA has been relatively inactive with respect to
enforcement actions re cryptography, but that the enforcement/compliance
section of BXA has also made new hires, and that they anticipate ramping up
enforcement. 5-6 people from the enforcement section were at the meeting
(turns out I sat right next to them) but they all left at 10 AM for another
meeting - among them a DOC/BXA attorney I recognized from the Bernstein

After that, the committee spent approx. 2 hours discussing nonproliferation
controls (related to nuclear/biological/chemical weapons) - I didn't bother
with a lot of notes about that, since it's not especially interesting to me
right now. There was a lot of discussion about how difficult it is to
determine whether or not an export is allowed or not - as I understand the
regs it's not permissible to export *anything* which will be used in aid of
producing N/B/C weapons, even otherwise unassuming things like lightbulbs
or ballpoint pens or carpeting or whatever. (I don't know much about this
area of export law, so please don't take my impressions as especially
informative, haven't done reading/research re this and I may be full of
shit. caveat emptor.) Everyone who doesn't work for the government
expressed frustration re the difficulty of figuring out how much effort
they need to put into tracking down the ultimate user(s) and purpose(s) of
otherwise innocuous exports - the BXA folks weren't very helpful, pointing
out that they're going to exercise their discretion not to enforce/punish
exporters who really weren't at fault, but that there were no hard and fast
rules available, either. The discussion here reminded me very much of
recent testimony by the Commerce Dept before Congress - they're more
concerned with intelligence (collecting data re who's buying what, in what
quantities, and when) than they are with preventing people from gaining
access to goods. 

There was also some discussion about foreign implementations of crypto
export controls and Wassenaar - apparently Jim Lewis (the name isn't
familiar to me) and David Aaron are currently in London, lobbying re crypto
export control/key escrow, and a delegation will go to France, Bonn, and
Tel Aviv later this month on a similar mission.

One speaker said that he expects the UK to adopt controls re "intangible"
items - by this he seemed to mean control over the export of "technical
data" and "technical assistance" related to controlled items, similar to
the US' control over providing data/information/assistance to foreigners
related to export-controlled items. It was also noted that there are a lot
of "informal contacts" in the UK between universities and employers and the
visa office, such that the UK has been able to control some access by
foreign people to technical data and information, by refusing them a visa
or otherwise making their desires clear to the people in the UK who they
expect would have contact with the foreign person.

Re Japan, it was noted that Japan began enforcing much stricter export
controls at the end of 1996, shortly after NTI developed a 3DES chip; MITI
(Japan's "technology" ministry? perhaps someone can provide more data here)
has concluded that exports of crypto stronger than 56 bits should be
subject to strict export control. Japan does not have a "general license"
scheme, whereby some products are generally considered eligible for export,
which would apply to crypto - apparently all exports require a license.
About 100 Japanese companies have applied for or been granted (couldn't
tell from the context) export licenses for crypto. Japan does not have
special "financial institution" exceptions to its crypto export control
laws; but it does implement the "mass market software" exception for crypto
which is part of the Wassenaar Arrangement.

There was some discussion re crypto export control in the EU; the speakers
noted that crypto control laws apply to GSM phones, which (potentially)
would have made them non-portable across national borders, which everyone
(including governments) thought was a stupid result, so GSM phones are
(formally? informally? couldn't tell) exempt from the export control laws.
Similarly, it is now legal to have/use crypto on a laptop for personal use;
at one time, this was not the case, but large companies' policy was that
crypto should be used anyway, regardless of the export control laws. EU
countries are also (apparently) writing the "mass market software"
exception to the WA's control over crypto into their regulations; one
speaker commented that the EU countries are "working on" key recovery. (the
term used was "key escrow").

The consensus of the speakers seemed to be that the TTP/key escrow draft
legislation for the UK is effectively dead, due to the shift in power to
Labor. It was also noted that the Walsh Report re crypto in Australia
recommends that purchasers of crypto equipment in Australia avoid depending
solely on US-based sources for crypto, because of the danger that the US
may implement mandatory key recovery.

I'm on the mailing list to get formal minutes from the meeting, but that
can apparently take up to 90 days. The next meeting will be 12/9/97 in D.C.

